Fertile Ground for Nastiness

Social networks probably are more vulnerable to security problems. They're a perfect storm of risk factors: new designs and code, user input, and lots of connectivity.

Most security problems are due to bugs, in either the design of the system or in the programs that actually implement the design. You can add all the cryptography, all the strong passwords, etc., that you want --- but if a bad guy gets near a buggy system, you're in trouble.

From this perspective, something new is more likely to have security flaws: the designers may not understand all of the ramifications of the system precisely because it's so new, and the programmers haven't had a chance to shake out the bugs. Beyond that, code developed by start-ups is often written quickly, without all the design reviews, automated security analyses, and security training used by companies like Microsoft. The wonder isn't that there are holes; it's that there aren't more of them.

User-generated content --- the sine qua non of all modern Web sites --- is a separate problem, because it isn't controlled by the developer. Maybe the developer has considered and tested all reasonable pages --- but what happens if someone puts in 1,000-point type? Will that cause a problem? Perhaps not, but was it ever tested?

In the case of the most recent Twitter attack, the offending user content employed JavaScript, a programming language. When you view a Web page that employs JavaScript, your browser is actually running code sent to it by the Web site --- and in this case, by some other user of the Web site. It's supposedly a safe thing to do, but due to some bugs at Twitter, it was dangerous.

The particular class of flaw involved, known as a "cross-site scripting attack," has been known for many years, but it's not always easy to avoid the bugs, especially with uploaded user content. (I should add that although JavaScript is used for many of the fancier features of some Web pages, most security people are terrified of it.)
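
To make the cross-site scripting point concrete, here is an added example (not part of the original article, and not Twitter's code): a constructed status-update renderer, once pasting user text straight into the page and once encoding it first. The function names and the sample posts are assumptions made for illustration.

```javascript
// Added example, not from the original article. All names and posts are constructed.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that let text change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// Vulnerable: user-controlled strings are concatenated straight into markup.
function renderUnsafe(post) {
  return `<li class="status" title="${post.author}">${post.text}</li>`;
}

// Hardened: every user-controlled string is encoded before it reaches the page.
function renderSafe(post) {
  return `<li class="status" title="${escapeHtml(post.author)}">${escapeHtml(post.text)}</li>`;
}

// Report what a browser would treat as structure: element names and the
// attributes on the opening <li>. The template itself only ever produces
// one element (li) with two attributes (class, title).
function structureOf(html) {
  const tags = [...html.matchAll(/<([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  const openLi = html.slice(0, html.indexOf(">") + 1);
  const attrs = [...openLi.matchAll(/\s([a-z-]+)="[^"]*"/gi)].map((m) => m[1].toLowerCase());
  return { tags, attrs };
}

// Constructed sample posts: ordinary text, oversized type, script, attribute break-out.
const posts = [
  { author: "alice", text: "Lunch at noon?" },
  { author: "bob", text: '<font size="1000">HELLO</font>' },
  { author: "carol", text: "<script>alert(1)</script>" },
  { author: 'dave" onmouseover="alert(1)', text: "hi" },
];

for (const post of posts) {
  const unsafe = JSON.stringify(structureOf(renderUnsafe(post)));
  const safe = JSON.stringify(structureOf(renderSafe(post)));
  console.log(`unsafe: ${unsafe}  safe: ${safe}`);
}
```
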

Finally, social network sites make it easy for viruses and worms to spread. If my personal Web page is infected, it's only going to affect a few people, those who have some reason to visit it. By contrast, services like Twitter and Facebook are intended for frequent visits; new Tweets or status updates will be seen very soon by followers, friends, etc. That's great for keeping in touch, but it's also great for malware.

This doesn't mean one needs to avoid such services. However, at the moment they are probably more fertile grounds for nastiness. But don't worry; in five years, there will be something even newer and shinier -- and probably more dangerous.